Ownership assigns accountability. Accountability helps ensure that adequate security protection is maintained. Owners of major assets should be identified and assigned responsibility for maintenance of appropriate security measures. The implementation of the security measures may be delegated, but the owner of an asset will remain ultimately accountable for its protection.
The information owner should be the individual or position in the organization who has fiduciary responsibility for the information. This person should understand the responsibility of maintaining the security of the information. This individual should be able to help define the value of the information. The owner of a resource will need to evaluate it to be assured that the resource receives the appropriate level of security.
The asset owner is responsible for determining the value of the information asset as well as assigning a security classification to the information. The owner will be expected to have significant input to the handling procedures for the information.
The creator of the information usually has a good understanding of the value of the information and often controls the utilization of the information. He often feels a personal ownership of the information.
The person who is responsible for maintaining the information, controlling its use, and ensuring its integrity is often selected to be its owner, since the maintainer has the greatest control over the information. Assigning fiduciary responsibility can help ensure proper management.
The manager of the user community for the information has a vested interest in the information, since it is his people who rely on it for their work. This person would be the first choice to be the information owner. However, the user community does not always have a single manager who is responsible for their work.
Determining who should be the owner of an information item can be as easy as evaluating who would have the greatest impact on its business function if it suffers a loss.